CISA Directs Agencies to Mitigate Ivanti Zero-Day Exploits

U.S. federal agencies using Ivanti Connect Secure and Ivanti Policy Secure solutions are being ordered to implement mitigations and remove compromised products.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The Cybersecurity and Infrastructure Security Agency issued an emergency directive Friday in response to evidence of threat actors mass-exploiting two critical zero-day vulnerabilities in Ivanti’s popular VPN and network access control solutions. Research suggests more than 2,100 Ivanti appliances worldwide have been compromised with a web shell backdoor. Known victims including Fortune 500 companies, governments and a variety of sectors, including defense, finance, technology and consulting.

Cybersecurity firm Volexity, which on Jan. 10 first published details about the flaws, said it suspected Chinese state attackers had been the culprits. In the days since, other hackers have rushed to take advantage of the vulnerabilities, including at least one instance of cryptojacking, Volexity has found.

CISA Executive Director for Cybersecurity Eric Goldstein described the vulnerabilities as “a rapidly evolving situation” during a Friday phone call with reporters. Fifteen agencies using the affected products must implement temporary mitigation measures pending a patch, which still does not exist for either exploit. “We are not assessing a significant risk to the federal enterprise,” Goldstein said. “But we know that the risk is not zero.”

Ivanti said the patches won’t be available until Jan. 22 and will then be deployed in a staggered manner. The company has detailed mitigation steps, although they only head off future attacks and don’t remediate already-compromised devices. In an update, Ivanti said hackers are likely planting web shells to maintain persistent access even after the patch has been made, leading the firm to recommend revoking and replacing private certificates after applying the patch.

Goldstein declined to say which agencies use the products or whether threat actors had successfully gained access to federal systems. CISA is investigating attempts from threat actors to exploit the vulnerabilities to target government networks.

Ivanti confirmed earlier this month that the two vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allow threat actors to establish persistent system access and move laterally across a target network while performing data exfiltration operations. CISA said it had determined an emergency directive was necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors and “prevalence of the affected products in the federal enterprise.”

Ivanti initially sought to tamp down concerns about likely Chinese nation-state hackers exploiting the unpatched flaws by stating it knew of fewer than 10 customers that showed signs of intrusion. The flaws affect the firm’s Connect Secure VPN appliance, formerly known as Pulse Secure, and Ivanti Policy Secure (see: Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days).

Volexity in a Monday post said scanning had revealed evidence of more than 1,700 compromised devices across the globe. Ivanti in a Tuesday update said its scanning had showed results “consistent with Volexity’s newly released observations.” Volexity on Thursday bumped up the number of apparently infected devices to 2,100.

Threat intelligence firm Mandiant in a recent blog post said that it has identified five malware families used to exploit Connect Secure and Policy Secure. “These families allow the threat actors to circumvent authentication and provide backdoor access to these devices,” Mandiant said.

With reporting from Information Security Media Group’s Mihir Bagwe in Mumbai, India